Abstract



Reynolds' abstraction theorem is now a well-established result for a large class of type systems.
We propose here a definition of relational parametricity and a proof of the abstraction theorem
in the Calculus of Inductive Constructions (CIC), the underlying formal language of Coq, in
which the codomain of parametricity relations is the impredicative sort of propositions. To proceed,
we need to refine this calculus by splitting the sort hierarchy to separate informative terms from
non-informative terms. This refinement is very close to CIC, but with the property that typing
judgments can distinguish informative terms. Among many applications, this natural encoding
of parametricity inside CIC serves both theoretical purposes (proving the independence of
propositions with respect to the logical system) and practical aspirations (proving properties of
finite algebraic structures). We finally discuss how we can simply build, on top of our calculus,
a new reflexive Coq tactic that constructs proof terms by parametricity.
1 Introduction

The Coq system [21] is a proof assistant based on the Curry-Howard correspondence: propositions
are represented as types and their proofs are their inhabitants. The underlying type
system is called the Calculus of Inductive Constructions (CIC in short). In this type system,
types and their inhabitants are expressions built from the same grammar and every
well-formed expression has a type.

One specificity of Coq among other interactive theorem provers based on Type Theory
is the presence of an impredicative sort to represent the set of propositions: Prop.
Impredicativity means that propositions may be built by quantification over objects whose types
inhabit any sort, including the sort of propositions (for instance, the Agda language has a
similar type system except that propositions live in predicative universes [IB]). This sort
plays a decisive role in the Coq system: in addition to guaranteeing the compositionality of
the propositional world, it contains the non-computational content, i.e., expressions meant
to be erased by the program extraction process. In particular, it allows the user to add
axioms (like the law of excluded middle, the axiom of choice, proof irrelevance, etc.) without
jeopardizing program extraction.
The other sorts form a predicative hierarchy of universes called Type_0, Type_1, .... Contrary
to Prop, it is stratified: one is not allowed to form a type of a given universe by quantifying
over objects of types of higher universes (stratification has been introduced in order to
overcome Girard's paradox, see [7] for details). The sort Type_0 (also called Set) contains
data-types and basic informative types. And Type_1 contains types that are quantified over
elements of Type_0, and so on.

One major component of Coq is its extraction mechanism [15], which produces an untyped
term of an ML-like language from any well-typed term of Coq. One obvious interest is
to obtain certified ML code. Roughly speaking, it proceeds by replacing type annotations
and propositional subterms by a dummy constant. A difficulty of program extraction is to
decide which terms are informative and which may be erased. The presence of the sort Prop
only partially solves this problem in Coq since the system still has to distinguish computations
over data types from computations over types, although they all live in Type.

In this paper, we propose a new calculus which refines the Calculus of Inductive
Constructions, called CIC_r. By adding a new predicative hierarchy of sorts Set_0, Set_1, ..., it
confines the types of all informative expressions and purges the hierarchy Type_0, Type_1, ...
of all computational content. In other words, it guarantees that inhabitants of types in Set
are the only expressions which do not disappear during the extraction process.

In spite of that, this new calculus may be naturally embedded into CIC by a very simple
forgetful operation. Moreover it remains very close to CIC, and in practice only few terms are
not representable in CIC_r. That is why it represents a big step towards an implementation
in the Coq system.

Being able to identify expressions with computational content, in other words programs,
was essential to achieve our initial goal: formalizing the parametricity theory for
the Calculus of Inductive Constructions.

Parametricity is a concept introduced by Reynolds [H] to study the type abstraction
of System F. It expresses the fact that well-typed programs must behave uniformly over
their arguments with an abstract type: if the type is abstract, then the functions do not
have access to its implementation. Wadler [55] explained how this could be used to deduce
interesting properties shared by all programs of the same type. Later, Plotkin and Abadi [21]
introduced a logic in which these uniformity properties can be expressed and proved. This
logic may be generalized into a second-order logic with higher-order individuals [23, 27].

The main tools of parametricity theory are logical relations defined inductively over the
structure of types, together with the so-called abstraction theorem, which builds a proof that
any closed program is related to itself for the relation induced by its type. For instance, the
relation induced by the type ∀α. (α → α) → α → α of Church numerals is given by the
following definition (represented here in Coq using the standard encoding of relations):

$$\forall (f\ f' : \forall \alpha.\,(\alpha \to \alpha) \to \alpha \to \alpha).\ \forall \alpha\ \alpha'\ (R : \alpha \to \alpha' \to \mathsf{Prop})\ (g : \alpha \to \alpha)\ (g' : \alpha' \to \alpha').$$
$$(\forall x\ x'.\ R\ x\ x' \to R\ (g\ x)\ (g'\ x')) \to \forall z\ z'.\ R\ z\ z' \to R\ (f\ \alpha\ g\ z)\ (f'\ \alpha'\ g'\ z')$$

The abstraction theorem tells that any closed term F of type ∀α. (α → α) → α → α is
related to itself according to this relation.

Recently, the work of Bernardy et al. [S] generalized these constructions to a
large class of Pure Type Systems and showed that parametricity theory accommodates
dependent types well. But this cannot be straightforwardly adapted to CIC, because
there parametricity relations live in higher universes instead of using the standard encoding of
relations in Prop. Besides, it is difficult to make parametricity relations live inside Prop
while preserving the abstraction theorem.
But parametricity in a system like Coq would be profitable: it could lead to more automation,
for instance for developing mathematical theories; we give here an example in finite
group theory (Section 5.3). Based on our refined calculus, we started an implementation
of a Coq tactic that can build closed instances of the abstraction theorem [TJ].

The paper is organized as follows. After explaining in detail why we need to refine
the Calculus of Inductive Constructions, we present CIC_r in Sections 2 and 3. Section 4
is devoted to the definition of relational parametricity and the proof of the abstraction
theorem, without and with inductive types. In Section 5 we present different kinds of
"theorems for free" that are derived from the general abstraction theorem, like the independence
of the law of excluded middle with respect to CIC_r or standard properties of finite groups.
We finally explain the algorithm behind the implementation of the Coq tactic (Section 6)
before discussing related work and concluding.

2 CIC_r: a refined calculus of constructions with universes

2.1 The need for a refinement 

In older versions of CIC, Set was not a synonym for Type_0 but a special impredicative sort
containing data-types and basic informative types. However, users demand the impredicativity
of Set less than the possibility to add classical axioms
to CIC, and having both may lead to the inconsistency of the system (the conjunction of
excluded middle and description conflicts with the impredicativity of Set [H3]). As a result,
nowadays Set is predicative and behaves in CIC as the first level of the hierarchy of universes.

In CIC_r, we want to reintroduce the sort Set of informative types in order to mark
the distinction between expressions with computational content and expressions which are
erased during the extraction process. To stay close to CIC, we want Set to be predicative,
so we introduce a hierarchy of sorts Set_0, Set_1, ...

In the refinement, the CIC hierarchy of sorts Type is thus divided into two classes: a
hierarchy of sorts Set, whose inhabitants have a computational content, and a hierarchy
of sorts Type, whose inhabitants are uninformative. There is a difference of level between
inhabitants of Set and inhabitants of Type: the inhabitants of Set are inhabited only by
non-habitable expressions, whereas Type contains the signatures of predicates and type
constructors, which are themselves, when fully applied, inhabited respectively by proofs and
programs.

In Coq, deciding to which of these two classes an expression of type Type belongs is
essential in the extraction mechanism. In the original two-sorted calculus of constructions
(i.e. without universes), the top sort contains only arities, and therefore the level of a term
can easily be obtained by looking at its type derivation, so the extraction procedure is
simple [19]. However, in Coq, to extract the computational content of an inhabitant of sort
Type, the extraction algorithm decides whether a type is informative by inspecting the shape of its
normal form [16, 17]. Therefore termination of extraction relies on the normalization of CIC.
This makes the correctness of the extraction difficult to formally certify.

2.2 Presentation of the calculus 

The syntax of CIC_r is the same as the standard calculus of constructions except that we
extend the set of sorts. Terms are generated by the following grammar:

$$A, B ::= x \mid s \mid \forall x : A.\,B \mid \lambda x : A.\,B \mid (A\ B)$$

where s ranges over the set {Prop} ∪ {Set_i, Type_{i+1} | i ∈ ℕ} of sorts and x ranges over the
set of variables. In the remainder of the paper, when no confusion is possible, Set stands
for "Set_i for some i", and Type stands for "Type_i for some i". The notation i ∨ j represents
the maximum of i and j.

As usual, we consider terms up to α-conversion and we denote by A[B/x] the term
built by substituting the term B for each free occurrence of x in A. The β-reduction ▷ is
defined as in CIC, and we write A ≡ B to denote β-conversion.

A context Γ is a list of pairs x : A where x is a variable and A is a term. The empty
context is written ⟨⟩. The system has subtyping, given by the rules in Figure 1. The typing
rules of CIC_r are given in Figure 2.

$$\frac{i \le j}{\mathsf{Set}_i <: \mathsf{Set}_j}\ (\textsc{Sub1-1}) \qquad \frac{i \le j}{\mathsf{Type}_i <: \mathsf{Type}_j}\ (\textsc{Sub1-2}) \qquad \frac{A <: B}{\forall x : C.\,A <: \forall x : C.\,B}\ (\textsc{Sub2})$$

Figure 1 Subtyping rules

The word type is a synonym for a term that can be typed by a sort following those
rules. We call informative types the inhabitants of Set, programs the inhabitants of informative
types, propositions the inhabitants of Prop and proofs the inhabitants of propositions. The sort
Type_i adds a shallow level to the system; it is populated with two kinds of terms: arities,
which are terms whose head normal forms have the form ∀(x_1 : A_1) ... (x_n : A_n). s where s
is either Prop, Set_j or Type_j with j < i; and higher-order functions that manipulate arities,
and whose types are arities with Type_{i+1} as a conclusion. We say that a term has some sort
s if s is the type of its type.

3 Inductive types 

The calculus is extended with inductive definitions and fixpoints. The presentation is very
similar to Chapter 4.5 of the Reference Manual of Coq [53], to which one can refer for
further details.

3.1 Inductive types and fixpoints 

The grammar of CIC_r terms is extended with:

$$A, B, P, Q, F ::= \cdots \mid I \mid c \mid \mathsf{case}_I(A, \vec{Q}, P, \vec{F}) \mid \mathsf{fix}(x : A).B$$

We write Ind^p(I : A, c_1 : C_1, ..., c_k : C_k) to state that I is a well-formed inductive
definition typed with p parameters, of arity A, with k constructors c_1, ..., c_k of respective
types C_1, ..., C_k. It requires that:

1. the names I and c_j are fresh;

2. A is a well-typed arity of conclusion Prop or Set: it is convertible to $\forall(\vec{x} : \vec{P})(\vec{y} : \vec{B}).\,r$
where r ∈ {Prop, Set};

3. for any j, C_j has the form $\forall(\vec{x} : \vec{P})(\vec{z} : \vec{E}_j).\,I\ \vec{x}\ \vec{D}_j$ where I may appear inside the
E_j's only as a conclusion. This is called the strict positivity condition, and is mandatory
for the system to be coherent [5];

4. for any j, $\forall(\vec{z} : \vec{E}_j).\,I\ \vec{x}\ \vec{D}_j$ is a well-typed expression of sort r under the context
$(\vec{x} : \vec{P})(I : A)$.

Notice that we do not allow inductive definitions in a nonempty context, but this is only for
a matter of clarity.

$$\frac{}{\vdash \mathsf{Prop} : \mathsf{Type}_1}\ (\textsc{Ax1}) \qquad \frac{}{\vdash \mathsf{Set}_i : \mathsf{Type}_{i+1}}\ (\textsc{Ax2}) \qquad \frac{}{\vdash \mathsf{Type}_i : \mathsf{Type}_{i+1}}\ (\textsc{Ax3})$$

$$\frac{\Gamma \vdash A : s \quad s \in \mathcal{S} \quad x \notin \Gamma}{\Gamma, x : A \vdash x : A}\ (\textsc{Var}) \qquad \frac{\Gamma \vdash A : s \quad \Gamma \vdash B : C \quad s \in \mathcal{S} \quad x \notin \Gamma}{\Gamma, x : A \vdash B : C}\ (\textsc{Weak})$$

$$\frac{\Gamma \vdash A : B \quad \Gamma \vdash C : s \quad B \equiv C \quad s \in \mathcal{S}}{\Gamma \vdash A : C}\ (\textsc{Conv}) \qquad \frac{\Gamma \vdash A : B \quad \Gamma \vdash C : s \quad B <: C}{\Gamma \vdash A : C}\ (\textsc{Cum})$$

$$\frac{r \in \{\mathsf{Prop}, \mathsf{Set}_i, \mathsf{Type}_i\} \quad \Gamma \vdash A : r \quad \Gamma, x : A \vdash B : \mathsf{Set}_j}{\Gamma \vdash \forall x : A.\,B : \mathsf{Set}_{i \vee j}}\ (\forall_1)$$

$$\frac{r \in \{\mathsf{Prop}, \mathsf{Set}_i, \mathsf{Type}_i\} \quad \Gamma \vdash A : r \quad \Gamma, x : A \vdash B : \mathsf{Type}_j}{\Gamma \vdash \forall x : A.\,B : \mathsf{Type}_{i \vee j}}\ (\forall_2)$$

$$\frac{s \in \mathcal{S} \quad \Gamma \vdash A : s \quad \Gamma, x : A \vdash B : \mathsf{Prop}}{\Gamma \vdash \forall x : A.\,B : \mathsf{Prop}}\ (\forall_3)$$

$$\frac{\Gamma \vdash M : \forall x : A.\,B \quad \Gamma \vdash N : A}{\Gamma \vdash M\ N : B[N/x]}\ (\textsc{App}) \qquad \frac{\Gamma, x : A \vdash B : C}{\Gamma \vdash \lambda x : A.\,B : \forall x : A.\,C}\ (\textsc{Lam})$$

Figure 2 The refined calculus of constructions with universes: CIC_r (𝒮 denotes the set of sorts)

Declaring a new inductive definition adds new constants I and c_j to the system, together
with the two top-left typing rules presented in Figure 3.

$$\frac{}{\vdash I : A}\ (\textsc{Ind}) \qquad \frac{}{\vdash c_j : C_j}\ (\textsc{Constr}) \qquad \frac{f \text{ is guarded} \quad \Gamma, f : A \vdash M : A}{\Gamma \vdash \mathsf{fix}(f : A).M : A}\ (\textsc{Fix})$$

$$\frac{\Gamma \vdash M : I\ \vec{Q}\ \vec{P} \qquad \Gamma \vdash T : \forall(\vec{y} : \vec{B}[\vec{Q}/\vec{x}]).\,I\ \vec{Q}\ \vec{y} \to r \qquad \Gamma \vdash F_j : \forall(\vec{z} : \vec{E}_j[\vec{Q}/\vec{x}]).\,T\ \vec{D}_j[\vec{Q}/\vec{x}]\ (c_j\ \vec{Q}\ \vec{z})\ \ (\text{for each } j)}{\Gamma \vdash \mathsf{case}_I(M, \vec{Q}, T, \vec{F}) : T\ \vec{P}\ M}\ (\textsc{Case})\ \text{(under restriction (1))}$$

Figure 3 The rules for an inductive type Ind^p(I : A, c_1 : C_1, ..., c_k : C_k)

The bottom rule of Figure 3 is the typing rule for the case construction, which is used
to implement elimination schemes. Two sorts are involved in eliminations: s, the sort of the
inductive type we eliminate, which may be Prop or Set; and r, the type of the type of the
term we construct, which may be Prop, Set or Type. The four cases of elimination that do
not involve Type are called small eliminations. They are used to build:
■ proofs and programs by inspecting programs;
■ proofs by inspecting proofs;
■ programs by inspecting proofs under restriction (1) (see below).

The other two cases are called large eliminations. Large elimination is mainly used to build
propositions by case analysis and to internally prove the minimality of informative inductive
definitions. For instance, using large elimination over nat, one may build a predicate P of
type nat → Prop such that P 0 = ⊤ and P (S 0) = ⊥, and thus prove that 0 ≠ S 0.
Similarly, large elimination may be used to build informative types (for instance, to build
a "type constructor" T_{αβ} : nat → Set parametrized by a type α and an informative type
β such that T_{αβ} n = α → ··· → α → β with n occurrences of α) or to build arities (for
instance, to build an "arity constructor" A_α : nat → Type parametrized by a type α such
that A_α n = α → ··· → α → Prop with n occurrences of α).
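The three uses of large elimination just described, written in Coq as an added example (this is not the paper's own code). Coq's Set and Type stand for the paper's Set_0 and Type; P, T and A follow the names used above, and zero_neq_one and constT are additions showing what each elimination buys: P decides a proposition by inspecting a program, T builds an informative type, A builds an arity.

```coq
(* Large elimination from nat (a program) into Prop: a predicate with
   P 0 = True and P (S 0) = False (every successor is sent to False). *)
Definition P (n : nat) : Prop :=
  match n with
  | 0 => True
  | S _ => False
  end.

(* The minimality property it proves: 0 and S 0 are distinct.
   An equality 0 = S 0 would transport the proof I : P 0 to P (S 0) = False. *)
Lemma zero_neq_one : 0 <> S 0.
Proof.
  intros H.
  change (P (S 0)).
  rewrite <- H.
  exact I.
Qed.

(* Large elimination into Set: the "type constructor" T_{a b},
   T a b n = a -> ... -> a -> b with n occurrences of a. *)
Fixpoint T (a b : Set) (n : nat) : Set :=
  match n with
  | 0 => b
  | S p => a -> T a b p
  end.

(* Large elimination into Type: the "arity constructor" A_a,
   A a n = a -> ... -> a -> Prop with n occurrences of a. *)
Fixpoint A (a : Set) (n : nat) : Type :=
  match n with
  | 0 => Prop
  | S p => a -> A a p
  end.

(* A program whose type is computed by T: the n-ary constant function.
   The return clause must mention n because the type depends on it. *)
Fixpoint constT (a b : Set) (y : b) (n : nat) : T a b n :=
  match n return T a b n with
  | 0 => y
  | S p => fun _ => constT a b y p
  end.

(* constT nat bool true 2 : nat -> nat -> bool, and ignores both arguments. *)
Example constT_2 : constT nat bool true 2 5 7 = true.
Proof. reflexivity. Qed.
```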

Eliminations from Prop to other sorts are restricted to inductive definitions that have at
most one constructor, and such that all the arguments (which are not parameters) of this
constructor are of sort Prop:

$$k = 0 \quad \text{or} \quad \big(k = 1 \ \text{and}\ \vdash E : \mathsf{Prop}\ \text{for any}\ E \in \vec{E}_1\big) \tag{1}$$

This is essential for coherence [7] and has a computational interpretation: it is natural that
computing an informative type should not rely on any proof structure, which would disappear
during program extraction [15, 16].

► Example 1. Here are a few examples of inductive definitions:
■ Ind^0(nat : Set_0, 0 : nat, S : nat → nat)
■ Ind^1(list_i : Set_i → Set_i, nil_i : ∀A : Set_i. list_i A, cons_i : ∀A : Set_i. A → list_i A → list_i A)
■ Ind^0(True : Prop, I : True)
■ Ind^0(False : Prop)
■ Ind^2(eq_i : ∀(A : Set_i). A → A → Prop, refl_i : ∀(A : Set_i)(x : A). eq_i A x x)
■ Ind^2(eqP : ∀(A : Prop). A → A → Prop, reflP : ∀(A : Prop)(x : A). eqP A x x)
■ Ind^2(eqT_i : ∀(A : Type_i). A → A → Prop, reflT_i : ∀(A : Type_i)(x : A). eqT_i A x x)

Note that we have three levels of Leibniz equality: eq_i for comparing programs, eqP for
comparing proofs and eqT_i for comparing everything else (we find the same kind of
triplication for other standard encodings like cartesian product, disjoint sum and the existential
quantifier).

The second operator to deal with inductive definitions is fixpoint definition. The typing
rule for the fixpoint is given at the top right of Figure 3. It is also restricted, to avoid
non-terminating terms, which would lead to absurdity. The restriction is called the guard
condition: one argument should have an inductive type, and must structurally decrease on
each recursive call. One may refer to the Reference Manual for further details.

We extend the reduction with the ι-reduction rules:

$$\mathsf{case}_I(c_j\ \vec{Q}\ \vec{M}, \vec{Q}, T, \vec{F}) \;\triangleright\; F_j\ \vec{M}$$
$$(\mathsf{fix}(f : A).M)\ (c_j\ \vec{Q}\ \vec{M}) \;\triangleright\; M[\mathsf{fix}(f : A).M / f]\ (c_j\ \vec{Q}\ \vec{M})$$

and ≡ now denotes βι-equivalence.
3.2 Embedding CIC_r into CIC and coherence

This calculus embeds easily into CIC by mapping Set_i and Type_i onto the sort Type_i of CIC:

► Lemma 1. Let |·| be the context-closed function from terms of CIC_r to terms of CIC such
that |Prop| = Prop and |Type_i| = |Set_i| = Type_i; then we have:

$$\Gamma \vdash A : B \implies |\Gamma| \vdash_{\mathrm{CIC}} |A| : |B|$$

Since |∀X : Prop. X| = ∀X : Prop. X, the logical coherence (the existence of an unprovable
proposition) of CIC ensures the coherence of CIC_r.

Conversely, some terms of CIC do not have a counterpart in the refinement: we cannot
mix informative and uninformative types. An example is the following Coq definition:

    fun (b : bool) => if b then nat else Set

4 Relational parametricity 

In this setting, we have a natural notion of parametricity: we can define a translation that
maps types to relations and other terms to proofs that they belong to those relations. What
is new is that relations over objects of type Prop or Set have Prop as a codomain, which is
more natural in a calculus with an impredicative sort for propositions.

We go step by step. First, we define parametricity for the calculus without inductive 
types, and show the abstraction theorem for this restriction. Subsequently, we add inductive 
types with large eliminations forbidden, and finally see how large eliminations behave with 
parametricity. 

4.1 Parametricity for the calculus without inductive types 

► Definition 1 (Parametricity relation). The parametricity translation [·] is defined by induction
on the structure of terms:

$$[\langle\rangle] = \langle\rangle \tag{1}$$
$$[\Gamma, x : A] = [\Gamma],\ x : A,\ x' : A',\ x_R : [A]\ x\ x' \tag{2}$$
$$[s] = \lambda(x : s)(x' : s).\ x \to x' \to \bar{s} \tag{3}$$
$$[x] = x_R \tag{4}$$
$$[\forall x : A.\,B] = \lambda(f : \forall x : A.\,B)(f' : \forall x' : A'.\,B').\ \forall(x : A)(x' : A')(x_R : [A]\ x\ x').\ [B]\ (f\ x)\ (f'\ x') \tag{5}$$
$$[\lambda x : A.\,B] = \lambda(x : A)(x' : A')(x_R : [A]\ x\ x').\ [B] \tag{6}$$
$$[(A\ B)] = ([A]\ B\ B'\ [B]) \tag{7}$$

with $\overline{\mathsf{Prop}} = \overline{\mathsf{Set}_i} = \mathsf{Prop}$ and $\overline{\mathsf{Type}_i} = \mathsf{Type}_i$, and where A' denotes the term A in which we
have replaced each variable x by a fresh variable x'.

It is easy to prove by induction that the previous definition is well-behaved with respect
to substitution and conversion:

► Lemma 2 (Substitution lemmas).
1. $(A[B/x])' = A'[B'/x']$
2. $[A[B/x]] = [A]\,[B/x]\,[B'/x']\,[[B]/x_R]$
3. $A_1 \equiv_\beta A_2 \implies [A_1] \equiv_\beta [A_2]$
$$\Theta_I(\vec{Q}, T, \vec{F}) = \lambda(\vec{x} : \vec{A})(\vec{x}' : \vec{A}')(\vec{x}_R : [\vec{A}]\ \vec{x}\ \vec{x}')\ (a : I\ \vec{Q}\ \vec{x})(a' : I\ \vec{Q}'\ \vec{x}')\ (a_R : [I]\ \vec{Q}\ \vec{Q}'\ [\vec{Q}]\ \vec{x}\ \vec{x}'\ \vec{x}_R\ a\ a').$$
$$[T]\ \vec{x}\ \vec{x}'\ \vec{x}_R\ a\ a'\ a_R\ (\mathsf{case}_I(a, \vec{Q}, T, \vec{F}))\ (\mathsf{case}_I(a', \vec{Q}', T', \vec{F}'))$$

Figure 4 The definition of Θ_I

The abstraction theorem states that the parametricity transformation preserves typing.

► Theorem 1 (Abstraction without inductive definitions). If Γ ⊢ A : B, then [Γ] ⊢ A : B,
[Γ] ⊢ A' : B', and [Γ] ⊢ [A] : [B] A A'.

Proof. The proof is a straightforward induction on the derivation of Γ ⊢ A : B. The
first item is essentially proved by invoking structural rules and by propagating the induction
hypothesis. The key steps of the second item are the rule (Ax2), which requires cumulativity,
and the rules (∀1-∀3), which involve many abstraction and product rules. ◄
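Definition 1 and Theorem 1 carried out by hand on the polymorphic identity, as an added Coq example (not the paper's code or tactic output). Coq's Set plays the role of Set_0, and the names Set_R, idT_R, idf_R are this example's spellings of [Set], [∀a:Set. a → a] and [λa x. x]; the comments name the rule of Definition 1 each line applies.

```coq
(* Rule (3): [Set] = λ(x x' : Set). x → x' → Prop, since bar(Set_i) = Prop. *)
Definition Set_R (x x' : Set) : Type := x -> x' -> Prop.

(* The type ∀a:Set. a → a of the polymorphic identity. *)
Definition idT : Type := forall (a : Set), a -> a.

(* Rule (5) applied twice, then rule (4) for the variable a:
   [∀a:Set. a → a] f f' = ∀(a a')(a_R : [Set] a a')(x x')(x_R : a_R x x'). a_R (f a x) (f' a' x').
   The codomain is Prop even though it quantifies over Set and over relations. *)
Definition idT_R (f f' : idT) : Prop :=
  forall (a a' : Set) (a_R : Set_R a a') (x : a) (x' : a') (x_R : a_R x x'),
    a_R (f a x) (f' a' x').

(* The identity and, by rules (6) and (4), its translation [λa:Set. λx:a. x]. *)
Definition idf : idT := fun a x => x.

(* This is exactly what Theorem 1 promises for a closed term:
   [⟨⟩] ⊢ [idf] : [idT] idf idf.  Coq checks it by conversion. *)
Definition idf_R : idT_R idf idf :=
  fun a a' a_R x x' x_R => x_R.

(* Rule (7): [(A B)] = [A] B B' [B].  Translating the application idf nat 3,
   with [nat] chosen as equality on nat and [3] = eq_refl, yields a proof
   that idf nat 3 is related (here: equal) to itself. *)
Definition idf_nat_3_R : idf nat 3 = idf nat 3 :=
  idf_R nat nat (@eq nat) 3 3 eq_refl.
```

The last definition type-checks only because idT_R idf idf reduces, after two β-steps, to a_R x x' with a_R := eq; that is the conversion step the abstraction theorem relies on in the (App) case.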

4.2 Why does it not work directly in CIC?

In the syntactic theory of parametricity for dependent types presented in [S], relations over a
type of some universe are implemented as predicates ranging in the same universe. This can
be read in the following piece of the definition: [Type_i] = λ(x x' : Type_i). x → x' → Type_i. We
cannot simply replace the conclusion with Prop, because in CIC one has ⊢ Type_i : Type_{i+1},
and the abstraction theorem would require that ⊢ [Type_i] : [Type_{i+1}] Type_i Type_i, which
is equivalent to ⊢ λ(x x' : Type_i). x → x' → Prop : Type_i → Type_i → Prop, but this last
sequent is not derivable. In our refinement, [Prop] and [Set] have Prop as a conclusion,
but this is not a problem since we do not have ⊢ Set_i : Set_{i+1}.

This refined calculus is very convenient to set the basis for parametricity. As we argued, it
also has nice properties regarding realizability and extraction: as an example, the correctness
of extraction in this calculus would not rely on the termination of β-reduction. Even if
possible, obtaining the same result directly in CIC would have required a complete reworking
of parametricity relations.

The calculus is very close to CIC, though. In Section 6 we discuss whether it is possible to
write a tactic in Coq that would exploit this work, without changing Coq's calculus.

4.3 Adding inductive types 

As a first step, we restrict ourselves to small eliminations: we do not allow large eliminations.
We will see in Subsection 4.4 that we are actually able to handle large eliminations over a
big class of inductive definitions.

We write Γ ⊢_SE A : B to denote sequents typable in CIC_r where large eliminations are
forbidden. Let us suppose that $\mathrm{Ind}^p(I : A, \vec{c} : \vec{C})$; we define a fresh inductive symbol
[I] and a family ([c_j])_{j=1...k} of fresh constructor names. Then we extend Definition 1 with

$$[\mathsf{fix}(x : A).B] = (\mathsf{fix}(x_R : [A]\ x\ x').[B])\,[\mathsf{fix}(x : A).B / x]\,[\mathsf{fix}(x' : A').B' / x']$$
$$[\mathsf{case}_I(M, \vec{Q}, T, \vec{F})] = \mathsf{case}_{[I]}([M], \vec{Q}, \vec{Q}', [\vec{Q}], \Theta_I(\vec{Q}, T, \vec{F}), [\vec{F}])$$

where Θ_I is defined in Figure 4.

We want to extend Theorem 1 with inductive definitions. We prove the following theorem:
We want to extend Theorem [T] with inductive definitions. We prove the following theorem: 
► Theorem 2 (Abstraction with inductive definitions).
1. If $\mathrm{Ind}^p(I : A, \vec{c} : \vec{C})$ is a valid inductive definition then so is $\mathrm{Ind}^{3p}([I] : [A]\ I\ I,\ [\vec{c}] : [\vec{C}]\ \vec{c}\ \vec{c}\,')$.
2. If Γ ⊢_SE A : B then [Γ] ⊢_SE A : B, [Γ] ⊢_SE A' : B', and [Γ] ⊢_SE [A] : [B] A A'.

Proof. The first item requires checking the constraints needed to build inductive types: the typing
and the strict positivity. As for Theorem 1, the second item is proved by induction on
the structure of the proof of Γ ⊢ A : B. One needs to check that the guard condition is
preserved in the (Fix) rule and that the (Case) rule is well-formed. The key idea here
is that the translation of a term containing only small eliminations also contains only small
eliminations. ◄

4.4 Overcoming the restriction over large elimination 

Suppose we now authorize the whole large elimination (with restriction (1)). The definition
generated by the inductive definition Ind^0(box_i : Set_{i+1}, close_i : Set_i → box_i) is

$$\mathrm{Ind}^0([\mathsf{box}_i] : \mathsf{box}_i \to \mathsf{box}_i \to \mathsf{Prop},\ [\mathsf{close}_i] : \forall(A\ A' : \mathsf{Set}_i).\,(A \to A' \to \mathsf{Prop}) \to [\mathsf{box}_i]\ (\mathsf{close}_i\ A)\ (\mathsf{close}_i\ A'))$$

If we want to prove parametricity for the (Case) rule when we build a Type, one should
provide an inhabitant of: ∀(A A' : Set_i). [box_i] (close_i A) (close_i A') → (A → A' → Prop).
But since [box_i] (close_i A) (close_i A') has type Prop and A → A' → Prop has type Type,
we cannot build the expected relation by deconstructing a proof of [box_i] (close_i A) (close_i A'):
this is forbidden by restriction (1).

However, let us consider the following example:

$$\mathrm{Ind}^0(I : \mathsf{Set}_0,\ N : \mathsf{nat} \to I,\ B : \mathsf{bool} \to I)$$



Let us say we need to translate the following large elimination (for the sake of readability, we
present it with the Coq syntax):

    Definition f (x : I) :=
      match x with
      | N n => vector n
      | B b => nat
      end.

We can swap the destruction of x_R for two nested destructions of x and x', which produces
k² branches (where k is the number of constructors). But only k of them are actually
possible (we use here the Program keyword in order to let the system infer dependent type
annotations for each match):

    Program Definition f_R (x x' : I) (x_R : [I] x x') :=
      match x with
      | N n =>
        match x' with
        | N n' => let n_R := inv n n' x_R in [vector n]
        | B b' => absurd (vector n -> nat -> Prop) (abs12 n b' x_R)
        end
      | B b =>
        match x' with
        | N n' => absurd (nat -> vector n' -> Prop) (abs21 b n' x_R)
        | B b' => [nat]
        end
      end.
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where the following terms are all implemented with an authorized large elimination: 

inv : V(nra' : nat). [J] (Nn) (Nn') -> [natjnn' 

absia : V(n : nat) (6' : bool).[J] (Nn) (Bb') -4 False 

abs 2 i : V(6 : bool)(n' : nat).[i] (B6) (Nn') -4 False 

absurd : V(a : Type). False — > a 

We notice that this example runs smoothly because all the arguments of all the constructors 
have type Prop or Set, which avoids the pitfall of the box example. 
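The same translation written in plain Coq, as an added example (it is not the paper's script). Coq's Set and Type replace Set_0 and Type; nat_R, bool_R, I_R and vector_R are this example's names for [nat], [bool], [I] and [vector] (the vector relation triplicates its length index, as Theorem 2 does for parameters); inv, abs12, abs21 and absurd follow the names above; and the dependent matches are written by hand with explicit return clauses instead of Program.

```coq
(* The inductive I of Section 4.4.  It shadows the constructor I of True,
   which this example does not use. *)
Inductive I : Set := N : nat -> I | B : bool -> I.

(* Generated relations for nat and bool: related iff built by the same
   constructor from related arguments. *)
Inductive nat_R : nat -> nat -> Prop :=
| O_R : nat_R 0 0
| S_R : forall (n n' : nat), nat_R n n' -> nat_R (S n) (S n').

Inductive bool_R : bool -> bool -> Prop :=
| true_R : bool_R true true
| false_R : bool_R false false.

Inductive I_R : I -> I -> Prop :=
| N_R : forall (n n' : nat), nat_R n n' -> I_R (N n) (N n')
| B_R : forall (b b' : bool), bool_R b b' -> I_R (B b) (B b').

(* Length-indexed vectors of nat, and their relation with the index
   triplicated (n, n', n_R), the shape produced by the translation. *)
Inductive vector : nat -> Set :=
| vnil : vector 0
| vcons : forall (n : nat), nat -> vector n -> vector (S n).

Inductive vector_R : forall (n n' : nat), nat_R n n' -> vector n -> vector n' -> Prop :=
| vnil_R : vector_R 0 0 O_R vnil vnil
| vcons_R : forall (n n' : nat) (n_R : nat_R n n') (x x' : nat) (x_R : nat_R x x')
                   (v : vector n) (v' : vector n'),
    vector_R n n' n_R v v' ->
    vector_R (S n) (S n') (S_R n n' n_R) (vcons n x v) (vcons n' x' v').

(* Authorized eliminations (Prop into Prop): invert I_R on matching
   constructors and refute it on mismatched ones. *)
Lemma inv : forall (n n' : nat), I_R (N n) (N n') -> nat_R n n'.
Proof. intros n n' H. inversion H; subst; assumption. Qed.

Lemma abs12 : forall (n : nat) (b' : bool), I_R (N n) (B b') -> False.
Proof. intros n b' H. inversion H. Qed.

Lemma abs21 : forall (b : bool) (n' : nat), I_R (B b) (N n') -> False.
Proof. intros b n' H. inversion H. Qed.

(* Ex falso into any Type: the only elimination of a proof into Type
   that restriction (1) allows, since False has no constructor. *)
Definition absurd (a : Type) (H : False) : a := match H with end.

(* The large elimination f from Set into Type. *)
Definition f (x : I) : Type :=
  match x with
  | N n => vector n
  | B b => nat
  end.

(* Its translation: destruct x and x' (both in Set) instead of the proof
   x_R, and discharge the two impossible branches with abs12 / abs21. *)
Definition f_R (x x' : I) : I_R x x' -> f x -> f x' -> Prop :=
  match x return I_R x x' -> f x -> f x' -> Prop with
  | N n =>
    match x' return I_R (N n) x' -> f (N n) -> f x' -> Prop with
    | N n' => fun x_R => vector_R n n' (inv n n' x_R)
    | B b' => fun x_R => absurd (vector n -> nat -> Prop) (abs12 n b' x_R)
    end
  | B b =>
    match x' return I_R (B b) x' -> f (B b) -> f x' -> Prop with
    | N n' => fun x_R => absurd (nat -> vector n' -> Prop) (abs21 b n' x_R)
    | B b' => fun _ => nat_R
    end
  end.
```

In each branch the expected type f (N n) → f (N n') → Prop is unfolded by conversion to vector n → vector n' → Prop, which is why the four cases type-check without any elimination out of x_R.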

That is why we propose to restrict large elimination from Set to Type to the class of
small inductive definitions (this class was introduced by Paulin to restrict the large
elimination in vanilla Coq where the sort Set of informative types is impredicative):

► Definition 2 (Small inductive definitions). We say that $\mathrm{Ind}^p(I : A, \vec{c} : \vec{C})$ is a small inductive
definition if all the arguments of each constructor are of sort Prop or Set_m for some m. More
formally, if for all 1 ≤ j ≤ k, $\vdash c_j : \forall(\vec{x} : \vec{P})(\vec{y} : \vec{B}_j).\,I\ \vec{x}\ \vec{D}_j$, then $\vec{x} : \vec{P}, \vec{y} : \vec{B}_j \vdash B : r$ for
each B in $\vec{B}_j$, with r = Prop or r = Set_m for some m.

With this restriction, the abstraction theorem holds in the presence of large elimination:

► Theorem 3. Theorem 2 holds when ⊢_SE stands for derivability where large elimination is
authorized over small inductive definitions and forbidden otherwise.


5 Examples of "free theorems" 

In this section we give a few examples of consequences of the abstraction theorem. Most
examples that can be found in the literature (see for instance [SUS]) may be easily implemented
in our framework. To improve readability, we use "=_α" and "∃x : α" to denote
respectively the standard inductive encodings of the Leibniz equality and the existential quantifier.

5.1 The type of Church numerals 

Let church_i be ∀α : Set_i. (α → α) → α → α, the type of Church numerals. Let iter_i be
the following expression

$$\mathsf{fix}\ \mathsf{iter}_i : \mathsf{nat} \to \mathsf{church}_i.\ \lambda(n : \mathsf{nat})(\alpha : \mathsf{Set}_i)(f : \alpha \to \alpha)(z : \alpha).$$
$$\mathsf{case}(n,\ \lambda k : \mathsf{nat}.\,\alpha,\ z,\ \lambda p : \mathsf{nat}.\,f\ (\mathsf{iter}_i\ p\ \alpha\ f\ z))$$

which is the primitive recursive operator that composes a function n times with itself.

The relation [church_i] : church_i → church_i → Prop is the relation unfolded in the
introduction. One can easily prove the following property on any f : church_i:

$$[\mathsf{church}_i]\ f\ f \to \exists n : \mathsf{nat}.\ \forall(\alpha : \mathsf{Set}_i)(g : \alpha \to \alpha)(z : \alpha).\ \mathsf{iter}_i\ n\ \alpha\ g\ z =_\alpha f\ \alpha\ g\ z$$

which states that, if f is in relation with itself by [church_i], then there exists an integer n
such that f is extensionally equal to iter_i n. Now suppose we have a closed term F such
that ⊢ F : church_i. By the abstraction theorem we obtain a proof [F] that [church_i] F F
and therefore that F is extensionally equal to iter_i n for some n.
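The property above, proved in Coq as an added example (this is neither the paper's script nor the tactic's output). Coq's Set stands for Set_i, iter is written with Fixpoint and match rather than the fix/case primitives of CIC_r, and church_R is the unfolded relation [church] from the introduction. The proof instantiates R with the graph of iter _ a g z and obtains the witness n by running f on nat with successor and zero.

```coq
(* Church numerals over Set; in Coq the type itself lives in Type. *)
Definition church : Type := forall (a : Set), (a -> a) -> a -> a.

(* The relation [church] f f', exactly as unfolded in the introduction. *)
Definition church_R (f f' : church) : Prop :=
  forall (a a' : Set) (R : a -> a' -> Prop)
         (g : a -> a) (g' : a' -> a'),
    (forall x x', R x x' -> R (g x) (g' x')) ->
    forall z z', R z z' -> R (f a g z) (f' a' g' z').

(* iter n a g z composes g with itself n times, starting from z. *)
Fixpoint iter (n : nat) : church :=
  fun a g z =>
    match n with
    | 0 => z
    | S p => g (iter p a g z)
    end.

(* Free theorem: a self-related Church numeral is extensionally iter n,
   where n is what f computes on the "real" naturals. *)
Theorem church_free (f : church) :
  church_R f f ->
  exists n : nat, forall (a : Set) (g : a -> a) (z : a),
    iter n a g z = f a g z.
Proof.
  intros Hf.
  exists (f nat S 0).
  intros a g z.
  (* R m x holds when x is the m-th iterate of g on z. *)
  set (R := fun (m : nat) (x : a) => x = iter m a g z).
  assert (HR : R (f nat S 0) (f a g z)).
  { apply (Hf nat a R S g).
    - (* S and g preserve R: the (m+1)-th iterate is g of the m-th. *)
      intros x x' Hx. unfold R in *. simpl. rewrite Hx. reflexivity.
    - (* 0 and z are related: z is the 0-th iterate. *)
      unfold R. reflexivity. }
  unfold R in HR. symmetry. exact HR.
Qed.
```

For a concrete closed F, say fun a g z => g (g z), the hypothesis church_R F F is what the abstraction theorem (or the tactic of Section 6) would produce, and church_free then yields n = 2.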



C. Keller and M. Lasson



5.2 The tree monad 

Binary trees carrying information of type α on their leaves may be implemented by the
following inductive definition:

$$\mathrm{Ind}^1(\mathsf{tree}_i : \mathsf{Set}_i \to \mathsf{Set}_{i+1},\ \mathsf{leaf}_i : \forall\alpha : \mathsf{Set}_i.\,\alpha \to \mathsf{tree}_i\ \alpha,\ \mathsf{node}_i : \forall\alpha : \mathsf{Set}_i.\,\mathsf{tree}_i\ \alpha \to \mathsf{tree}_i\ \alpha \to \mathsf{tree}_i\ \alpha)$$

and it is possible to represent in CIC_r the function map_i of type ∀(α β : Set_i). (α → β) →
tree_i α → tree_i β which maps a function over all the leaves of a tree.

The generated relation [tree_i] tells that two trees are related if they have the same
shape and elements at the same position in each tree are related. It is then not difficult to
prove for any function f : α → α' that [tree_i] α α' R_f is a relation representing the graph
of the map function, where R_f is λ(x : α)(x' : α'). f x =_{α'} x' and represents the graph of f.

We can also define in the system the multiplication of the monad by programming
an expression μ_i of type ∀α. tree_i (tree_i α) → tree_i α with the following computational
behavior:

$$\mu_i\ \alpha\ (\mathsf{leaf}_i\ \alpha\ x) = x \qquad \text{and} \qquad \mu_i\ \alpha\ (\mathsf{node}_i\ \alpha\ x\ y) = \mathsf{node}_i\ \alpha\ (\mu_i\ \alpha\ x)\ (\mu_i\ \alpha\ y)$$

As μ_i is closed, an application of the abstraction theorem which instantiates the relation to
the graph of f proves the naturality of μ_i.

5.3 Parametricity and algebra 

Obtaining "free theorems" by parametricity can be extended to data types with structure.
In this section, we take the example of finite groups, which is directly related to the Ssreflect
library [12] developed in Coq; but our reasoning applies to a large variety of algebraic
structures.

In Chapter 3.4 of his PhD thesis [9], François Garillot observed that algebraic developments
require lots of proofs by isomorphism, which often look similar. Intuitively, a
polymorphic function operating on groups can only compose elements using the laws given
by the group's structure, and thus cannot create new elements.

More formally, we take an arbitrary group H defined by a carrier α : Set_0, a unit element
e : α, a composition law • : α → α → α, an inverse function inv : α → α, and the standard
axioms stating that • is associative, e is neutral on the left and composing with the inverse
on the left produces the unit. On top of this, we define the type of all the finite subgroups
of H with the following one-constructor inductive definition:

$$\mathrm{Ind}(\mathsf{fingrp} : \mathsf{Set}_0,\ \mathsf{Fingrp} : \forall \mathsf{elements} : \mathsf{list}\ \alpha.\ \ldots)$$

where ∈ : α → list α → Prop is the standard inductive predicate stating whether an element
appears in a list.

Suppose we have a closed term Z : fingrp → fingrp (examples of such terms abound:
e.g. the center, the normalizer, the derived subgroup, ...). The abstraction theorem states
that for any R : α → α → Prop compatible with the laws of H and for any G G' : fingrp,
[fingrp]_R G G' → [fingrp]_R (Z G) (Z G'), where [fingrp]_R is the relation on subgroups
induced by R. Given this, we can prove the following properties:
■ for any G, Z G ⊆ G (if we take R : x y ↦ x ∈ G);
■ for any G, for any morphism φ of H, φ(Z G) = Z φ(G) (if we take R : x y ↦ y = φ(x)).

It entails that Z G is a characteristic subgroup of H.
To prove this, we use the axiom of proof irrelevance (which can be safely added to the system,
as we will show in the next subsection). The proof is straightforward by unfolding the
definitions. A complete Coq script can be found online [FjQ].

5.4 Classical axioms 

One interesting feature of Coq is the ability to add axioms in the system. However when 
the parametricity transformation [•] will encounter the axiom, it will ask for a proof that it 
is related to itself. Let consider an axiom P such that hP:s where s is Prop or Set. Here 
three situations are possible: 

■ Either $P$ is what we call provably parametric: the user can provide a proof of $\forall h : P.\ [\![P]\!]\ h\ h$,
and this proof may be used by the abstraction theorem to prove parametricity
for terms involving the axiom.

■ Or $P$ is provably not parametric: there exists a proof of $\forall (h\ h' : P).\ \neg([\![P]\!]\ h\ h')$. It
means that the axiom would break the parametricity of the system: there is no way to
invoke the abstraction theorem on a term which uses that axiom.

■ Or it is neither provably parametric nor provably not parametric, or the user does not
know. In this case, the parametricity of the axiom may be added as a new axiom, at the
user's risk.

Note that if $\neg P$ is provable then $P$ is both provably parametric and provably not parametric,
and by the abstraction theorem, if $P$ is provable then it is of course provably parametric.
It is also easy to deduce from the abstraction theorem that if $P \to Q$ is provable then $P$
provably parametric implies $Q$ provably parametric, and $Q$ provably not parametric implies
$P$ provably not parametric. Hence these notions do not depend on the formulation of the
axioms.

5.4.1 Proof irrelevance 

The axiom of proof irrelevance $\mathit{PI} = \forall (X : \mathrm{Prop})(p\ q : X).\ p =_X q$ states that there is at
most one proof of any proposition. It is provably parametric since

$[\![\mathit{PI}]\!]\ h\ h' = \forall (X\ X' : \mathrm{Prop})(X_R : X \to X' \to \mathrm{Prop})(p : X)(p' : X')(p_R : X_R\ p\ p')(q : X)(q' : X')(q_R : X_R\ q\ q').\ [\![\mathit{eq}_P]\!]\ X\ X'\ p\ p'\ p_R\ q\ q'\ q_R$

may be proved (with $\mathit{PI}$) equivalent to

$\forall (X\ X' : \mathrm{Prop})(X_R : X \to X' \to \mathrm{Prop})(p : X)(p' : X')(p_R : X_R\ p\ p').\ [\![\mathit{eq}_P]\!]\ X\ X'\ p\ p'\ p_R\ p\ p'\ p_R$

which is directly provable by $[\![\mathit{refl}_P]\!]$. Therefore $\mathit{PI}$ may be safely added to the system.
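The same argument carried out in Coq, as an added example that is not part of the paper: the translation of equality on a proposition is written out as an inductive `eq_R` with all of its arguments explicit (the relation $X_R$ and the two equality proofs being related, which the display above leaves implicit), the type $[\![\mathit{PI}]\!]\ h\ h'$ is the definition `PI_R`, and `PI_param` is the proof that $\mathit{PI}$ is provably parametric, using $\mathit{PI}$ itself to collapse $q$ to $p$, $q'$ to $p'$ and both equality proofs to `eq_refl`, after which the constructor $[\![\mathit{refl}_P]\!]$ applies. `PI` is assumed as an axiom; the names `eq_R`, `refl_R`, `PI_R`, `PI_param` and `PI_param_self` are ours.

```coq
(* Added example, not from the paper: the translation [PI] in Coq and the
   proof that PI is provably parametric. PI is assumed as an axiom. *)
Axiom PI : forall (X : Prop) (p q : X), p = q.

(* [eq_P]: the relational translation of equality on a proposition X.
   Parameters are the translated arguments p, p' and their relatedness;
   indices are q, q', their relatedness, and the two proofs being related.
   [refl_P] is its only constructor. *)
Inductive eq_R (X X' : Prop) (X_R : X -> X' -> Prop)
               (p : X) (p' : X') (p_R : X_R p p')
  : forall (q : X) (q' : X'), X_R q q' -> p = q -> p' = q' -> Prop :=
  refl_R : eq_R X X' X_R p p' p_R p p' p_R eq_refl eq_refl.

(* [PI] h h': the translation of the type of PI, relating two proofs h, h'. *)
Definition PI_R (h h' : forall (X : Prop) (p q : X), p = q) : Prop :=
  forall (X X' : Prop) (X_R : X -> X' -> Prop)
         (p : X) (p' : X') (p_R : X_R p p')
         (q : X) (q' : X') (q_R : X_R q q'),
    eq_R X X' X_R p p' p_R q q' q_R (h X p q) (h' X' p' q').

(* PI is provably parametric. With PI, q is p, q' is p', q_R is p_R and both
   equality proofs are eq_refl; the remaining goal is exactly [refl_P]. *)
Theorem PI_param : forall h h', PI_R h h'.
Proof.
  intros h h'; unfold PI_R; intros X X' X_R p p' p_R q q' q_R.
  assert (Hq : p = q) by apply PI. subst q.
  assert (Hq' : p' = q') by apply PI. subst q'.
  rewrite (PI (X_R p p') q_R p_R).
  rewrite (PI (p = p) (h X p p) eq_refl).
  rewrite (PI (p' = p') (h' X' p' p') eq_refl).
  exact (refl_R X X' X_R p p' p_R).
Qed.

(* In particular the form required of a provably parametric axiom,
   forall h : PI, [PI] h h, holds. *)
Corollary PI_param_self : forall h, PI_R h h.
Proof. intro h; exact (PI_param h h). Qed.
```

Note that the proof uses `PI` three times on propositions other than the one being related: on `X_R p p'` and on the two equality types. This is the sense in which the translation is proved "with PI" rather than outright.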

5.4.2 Independence of the law of excluded middle 

From a user perspective, provably not parametric axioms are bad news, but they provide
meta-theoreticians with a very simple way to prove independence results. Indeed, if a formula is
provably not parametric then the abstraction theorem tells us that this formula is not provable
without large elimination over non-small inductive definitions.

► Lemma 3. If $P$ is provably not parametric, there is no closed term $A$ of type $P$ (in the
restriction of large elimination to small inductive definitions).

For instance, Peirce's law $\mathit{Peirce} = \forall (X\ Y : \mathrm{Prop}).\ ((X \to Y) \to X) \to X$ (which is
known to be equivalent to the excluded middle) is provably not parametric.

6 Towards a Coq implementation 

This paper sets the theoretical foundation for an implementation of a reflexive Coq tactic
generating the consequences of parametricity for definitions in the Calculus of Constructions.
Two approaches are possible:

■ modify Coq's calculus to implement $\mathrm{CIC}_r$. The implementation of the translation becomes
straightforward;

■ do not modify Coq's calculus, but let the translation distinguish informative terms.

The first approach would require transforming Coq radically. We followed the second approach,
and started the implementation of a prototype of Coq commands and tactics for
parametricity, called CoqParam [1].

In a system like Coq, reflection establishes a correspondence between:

■ a subset of the Coq terms: this is called the shallow embedding;

■ a Coq inductive data type representing these terms: this is called the deep embedding;

■ the OCaml internal representation of those terms.

The deep embedding and the OCaml representation give access to the structure of the terms
(whereas the shallow embedding does not), which is very useful to build properties and
proofs by computing over this structure. This process, called computational reflection, is a
well-known way to design powerful automatic tactics in Coq [2, 15, 13].

Parametricity fits well within the spirit of computational reflection: the abstraction
theorem is a way to build proofs about terms by inspecting their structure. Our tactic is based
on this remark: given a well-typed closed term $\vdash A : B$, it builds the well-typed proof
$\vdash [\![A]\!] : [\![B]\!]\ A\ A$, going from the shallow embedding to the OCaml internal representation
(this step is called reification), and the other way round. The difficulty is to decide, during
reification, whether objects of type $\mathrm{Type}$ in Coq should have type $\mathrm{Set}$ or $\mathrm{Type}$ in $\mathrm{CIC}_r$. The
tactic does not handle this yet (nor full inductive types).

Notice that, with this method, we do not have to prove the abstraction theorem in Coq
in general: Coq's type checker proves it on each instance. One may also be interested in
a formal proof of the abstraction theorem. It means that the deep embedding should be
defined. Since the refinement is very close to Coq itself, this would require a large effort.

7 Related works and discussion 

Since the introduction of parametricity for System F [22, 26], it has been extended to many
logical systems based on Type Theory. Among others, we can cite System $F_\omega$ by Vytiniotis
and Weirich [25] and a large subset of PTSs by Bernardy et al. [9, 10]. In all these presentations,
no sort is impredicative, and parametricity relations live either in a meta-logic or in a different
sort than propositions. To our knowledge, this is the first time parametricity relations live
in an impredicative sort representing propositions, making them more usable in a system
like Coq.

Bernardy et al. [5] also explain two possible ways to handle inductive definitions: one
by translating induction principles, and one by defining a new inductive data type as the
translation of the initial data type. Our approach is close to the second method proposed
by [5]. We also show how to translate fixpoint definitions, which are more common than
induction principles.

Parametricity and parts of the abstraction theorem have been formalized for deep
embeddings of logical systems in Agda [5] and in Coq. Our approach is different: we do
not want to have a formal proof of the abstraction theorem (in a first step), but we want to
have a practical tool that actually computes the results produced by the abstraction theorem.
This does not compromise soundness anyway, since the terms produced by this tool are
type-checked by Coq's kernel.

8 Conclusion 

As we argued throughout the article, the system presented here distinguishes clearly, via
typing, which expressions will be computationally meaningful after extraction. It allows us
to define a notion of parametricity for which relations lie in the sort of propositions. This
opens up a new way to define automatic tactics in interactive theorem provers based on
Type Theory.

Moreover, it is known that parametricity and realizability, seen as syntactic constructions,
are closely related [5]. That is why it seems possible to build an internal realizability theory
inside our framework. It would permit developing a similar tactic to prove automatically
that the program extracted from any closed term realizes its own type. The user would then
be able to use this proof to show the correctness of their programs without relying on the
implementation of the extraction function.

Finally, it remains to understand why parametric relations do not fit in the sort of
propositions in presence of large elimination on non-small data types. We conjecture that
parametric relations for large inductive definitions are not proof-irrelevant (in particular,
they cannot be interpreted as set-theoretical relations).